CERTFR-2024-AVI-0696
Vulnerability from certfr_avis
Multiple vulnerabilities have been discovered in Moodle. Some of them allow an attacker to cause remote arbitrary code execution, a breach of data confidentiality, and a breach of data integrity.
Solutions
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
Impacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Moodle versions ant\u00e9rieures \u00e0 4.1.12",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.3.x ant\u00e9rieures \u00e0 4.3.6",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.4.x ant\u00e9rieures \u00e0 4.4.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
},
{
"description": "Moodle versions 4.2.x ant\u00e9rieures \u00e0 4.2.9 ",
"product": {
"name": "N/A",
"vendor": {
"name": "Moodle",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2024-43427",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43427"
},
{
"name": "CVE-2024-43434",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43434"
},
{
"name": "CVE-2024-43425",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43425"
},
{
"name": "CVE-2024-43436",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43436"
},
{
"name": "CVE-2024-43435",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43435"
},
{
"name": "CVE-2024-43437",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43437"
},
{
"name": "CVE-2024-43429",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43429"
},
{
"name": "CVE-2024-43428",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43428"
},
{
"name": "CVE-2024-43438",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43438"
},
{
"name": "CVE-2024-43439",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43439"
},
{
"name": "CVE-2024-43432",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43432"
},
{
"name": "CVE-2024-43431",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43431"
},
{
"name": "CVE-2024-43430",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43430"
},
{
"name": "CVE-2024-43426",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43426"
},
{
"name": "CVE-2024-43440",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43440"
},
{
"name": "CVE-2024-43433",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43433"
}
],
"initial_release_date": "2024-08-19T00:00:00",
"last_revision_date": "2024-08-19T00:00:00",
"links": [],
"reference": "CERTFR-2024-AVI-0696",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-08-19T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Moodle. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Moodle",
"vendor_advisories": [
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0034",
"url": "https://moodle.org/mod/forum/discuss.php?d=461202"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0041",
"url": "https://moodle.org/mod/forum/discuss.php?d=461210"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0035",
"url": "https://moodle.org/mod/forum/discuss.php?d=461203"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0029",
"url": "https://moodle.org/mod/forum/discuss.php?d=461196"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0038",
"url": "https://moodle.org/mod/forum/discuss.php?d=461207"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0040",
"url": "https://moodle.org/mod/forum/discuss.php?d=461209"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0039",
"url": "https://moodle.org/mod/forum/discuss.php?d=461208"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0032",
"url": "https://moodle.org/mod/forum/discuss.php?d=461199"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0028",
"url": "https://moodle.org/mod/forum/discuss.php?d=461195"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0033",
"url": "https://moodle.org/mod/forum/discuss.php?d=461200"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0037",
"url": "https://moodle.org/mod/forum/discuss.php?d=461206"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0030",
"url": "https://moodle.org/mod/forum/discuss.php?d=461197"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0026",
"url": "https://moodle.org/mod/forum/discuss.php?d=461193"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0031",
"url": "https://moodle.org/mod/forum/discuss.php?d=461198"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0027",
"url": "https://moodle.org/mod/forum/discuss.php?d=461194"
},
{
"published_at": "2024-08-19",
"title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-24-0036",
"url": "https://moodle.org/mod/forum/discuss.php?d=461205"
}
]
}
CVE-2024-43427 (GCVE-0-2024-43427)
Vulnerability from cvelistv5
Published
2024-11-11 12:14
Modified
2024-11-12 15:03
Summary
A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43427",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:02:44.827202Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:03:14.383Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:14:22.984Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304255",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304255"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461195"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: admin presets export tool includes some secrets that should not be exported"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43427",
"datePublished": "2024-11-11T12:14:22.984Z",
"dateReserved": "2024-08-13T07:15:00.597Z",
"dateUpdated": "2024-11-12T15:03:14.383Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43439 (GCVE-0-2024-43439)
Vulnerability from cvelistv5
Published
2024-11-11 16:00
Modified
2024-11-12 14:55
Summary
A flaw was found in moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43439",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:50:51.322123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T14:55:08.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T16:00:39.212Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304268",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304268"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461209"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: reflected xss via h5p error message"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43439",
"datePublished": "2024-11-11T16:00:39.212Z",
"dateReserved": "2024-08-13T07:15:00.599Z",
"dateUpdated": "2024-11-12T14:55:08.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43431 (GCVE-0-2024-43431)
Vulnerability from cvelistv5
Published
2024-11-07 13:27
Modified
2024-11-07 15:55
Summary
A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43431",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:40:53.002108Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T15:55:57.730Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:27:07.968Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304259",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304259"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461199"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: idor in badges allows deletion of arbitrary badges",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43431",
"datePublished": "2024-11-07T13:27:07.968Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-07T15:55:57.730Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43430 (GCVE-0-2024-43430)
Vulnerability from cvelistv5
Published
2024-11-11 12:15
Modified
2024-11-12 15:01
Summary
A flaw was found in moodle. External API access to Quiz can override contained insufficient access control.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43430",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:57:03.948766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:01:22.872Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. External API access to Quiz can override contained insufficient access control."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:15:36.451Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304258",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304258"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461198"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: lack of access control when using external methods for quiz overrides"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43430",
"datePublished": "2024-11-11T12:15:36.451Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:01:22.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43433 (GCVE-0-2024-43433)
Vulnerability from cvelistv5
Published
2024-11-11 12:16
Modified
2024-11-12 15:06
Summary
A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43433",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:02:57.899042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:06:09.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:16:46.270Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304261",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304261"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461202"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: matrix user/power level management not always working as expected with suspended users"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43433",
"datePublished": "2024-11-11T12:16:46.270Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:06:09.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43428 (GCVE-0-2024-43428)
Vulnerability from cvelistv5
Published
2024-11-07 13:24
Modified
2025-02-10 22:26
Summary
To address a cache poisoning risk in Moodle, additional validation for local storage was required.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:41:01.971776Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T22:26:35.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "To address a cache poisoning risk in Moodle, additional validation for local storage was required."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:24:11.512Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304256",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304256"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461196"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: cache poisoning via injection into storage",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43428",
"datePublished": "2024-11-07T13:24:11.512Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2025-02-10T22:26:35.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43435 (GCVE-0-2024-43435)
Vulnerability from cvelistv5
Published
2024-11-11 12:17
Modified
2024-11-12 15:01
Summary
A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43435",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T14:57:03.261082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:01:08.757Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:17:26.812Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304263",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304263"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461205"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: can create global glossary without being admin"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43435",
"datePublished": "2024-11-11T12:17:26.812Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:01:08.757Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43438 (GCVE-0-2024-43438)
Vulnerability from cvelistv5
Published
2024-11-07 13:31
Modified
2024-11-07 16:48
Summary
A flaw was found in Feedback. Bulk messaging in the activity's non-respondents report did not verify message recipients belonging to the set of users returned by the report.
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:40:31.902345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T16:48:06.773Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Feedback. Bulk messaging in the activity\u0027s non-respondents report did not verify message recipients belonging to the set of users returned by the report."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:31:20.238Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304267",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304267"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461208"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: idor in feedback non-respondents report allows messaging arbitrary site users",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43438",
"datePublished": "2024-11-07T13:31:20.238Z",
"dateReserved": "2024-08-13T07:15:00.599Z",
"dateUpdated": "2024-11-07T16:48:06.773Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43437 (GCVE-0-2024-43437)
Vulnerability from cvelistv5
Published
2024-11-11 12:19
Modified
2025-03-13 14:04
Summary
A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files.
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-11T14:28:15.911800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T14:04:35.671Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:19:25.715Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304266",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304266"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461207"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: xss risk when restoring malicious course backup file"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43437",
"datePublished": "2024-11-11T12:19:25.715Z",
"dateReserved": "2024-08-13T07:15:00.599Z",
"dateUpdated": "2025-03-13T14:04:35.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43440 (GCVE-0-2024-43440)
Vulnerability from cvelistv5
Published
2024-11-07 13:32
Modified
2024-11-07 14:38
Summary
A flaw was found in moodle. A local file may include risks when restoring block backups.
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43440",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:23:21.250549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:38:59.743Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Paul Holden for reporting this issue."
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. A local file may include risks when restoring block backups."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:32:16.113Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304269",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304269"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461210"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: lfi vulnerability when restoring malformed block backups"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43440",
"datePublished": "2024-11-07T13:32:16.113Z",
"dateReserved": "2024-08-13T07:15:00.599Z",
"dateUpdated": "2024-11-07T14:38:59.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43425 (GCVE-0-2024-43425)
Vulnerability from cvelistv5
Published
2024-11-07 13:21
Modified
2024-11-07 14:45
Summary
A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:41:20.305328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:45:17.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:21:59.014Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304253",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304253"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461193"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: remote code execution via calculated question types"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43425",
"datePublished": "2024-11-07T13:21:59.014Z",
"dateReserved": "2024-08-13T07:15:00.597Z",
"dateUpdated": "2024-11-07T14:45:17.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43434 (GCVE-0-2024-43434)
Vulnerability from cvelistv5
Published
2024-11-07 13:28
Modified
2024-11-07 15:56
Summary
The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:40:44.970094Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T15:56:27.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "The bulk message sending feature in Moodle\u0027s Feedback module\u0027s non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:28:27.671Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304262",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304262"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461203"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: csrf risk in feedback non-respondents report",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43434",
"datePublished": "2024-11-07T13:28:27.671Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-07T15:56:27.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43436 (GCVE-0-2024-43436)
Vulnerability from cvelistv5
Published
2024-11-07 13:29
Modified
2024-11-07 15:57
Summary
A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators.
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43436",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:40:37.036006Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T15:57:00.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A SQL injection risk flaw was found in the XMLDB editor tool available to site administrators."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:29:57.912Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304264",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304264"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461206"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: site administration sql injection via xmldb editor",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43436",
"datePublished": "2024-11-07T13:29:57.912Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-07T15:57:00.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43426 (GCVE-0-2024-43426)
Vulnerability from cvelistv5
Published
2024-11-07 13:22
Modified
2025-02-10 22:27
Summary
A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed.
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43426",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:41:10.596625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1287",
"description": "CWE-1287 Improper Validation of Specified Type of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T22:27:06.037Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in pdfTeX. Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available, such as those with TeX Live installed."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T13:22:42.839Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304254",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304254"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461194"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: arbitrary file read risk through pdftex"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43426",
"datePublished": "2024-11-07T13:22:42.839Z",
"dateReserved": "2024-08-13T07:15:00.597Z",
"dateUpdated": "2025-02-10T22:27:06.037Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43432 (GCVE-0-2024-43432)
Vulnerability from cvelistv5
Published
2024-11-11 12:16
Modified
2024-11-12 15:14
Summary
A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:06:57.126320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:14:27.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:16:04.901Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304260",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304260"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461200"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: authorization headers preserved between \"emulated redirects\""
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43432",
"datePublished": "2024-11-11T12:16:04.901Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:14:27.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43429 (GCVE-0-2024-43429)
Vulnerability from cvelistv5
Published: 2024-11-11 12:15
Modified: 2024-11-12 15:16
Summary
A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the information.
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "moodle",
"vendor": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43429",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:15:16.555262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:16:37.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/moodle/moodle",
"defaultStatus": "unaffected",
"packageName": "moodle",
"versions": [
{
"lessThan": "4.1.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "4.2.9",
"status": "affected",
"version": "4.2",
"versionType": "semver"
},
{
"lessThan": "4.3.6",
"status": "affected",
"version": "4.3",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2024-08-19T04:00:00+00:00",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the \"view hidden user fields\" capability having access to the information."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"providerMetadata": {
"dateUpdated": "2024-11-11T12:15:00.784Z",
"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"shortName": "fedora"
},
"references": [
{
"name": "RHBZ#2304257",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304257"
},
{
"url": "https://moodle.org/mod/forum/discuss.php?d=461197"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-12T00:00:00+00:00",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2024-08-19T04:00:00+00:00",
"value": "Made public."
}
],
"title": "Moodle: user information visibility control issues in gradebook reports"
}
},
"cveMetadata": {
"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5",
"assignerShortName": "fedora",
"cveId": "CVE-2024-43429",
"datePublished": "2024-11-11T12:15:00.784Z",
"dateReserved": "2024-08-13T07:15:00.598Z",
"dateUpdated": "2024-11-12T15:16:37.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.